projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
configuration of different marks for inbound and outbound direction
[strongswan.git] / src / libcharon / plugins / uci / uci_config.c
1 /*
2 * Copyright (C) 2008 Thomas Kallenberg
3 * Copyright (C) 2008 Tobias Brunner
4 * Copyright (C) 2008 Martin Willi
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #define _GNU_SOURCE
19 #include <string.h>
20
21 #include "uci_config.h"
22 #include "uci_parser.h"
23
24 #include <daemon.h>
25
26 typedef struct private_uci_config_t private_uci_config_t;
27
28 /**
29 * Private data of an uci_config_t object
30 */
31 struct private_uci_config_t {
32
33 /**
34 * Public part
35 */
36 uci_config_t public;
37
38 /**
39 * UCI parser context
40 */
41 uci_parser_t *parser;
42 };
43
44 /**
45 * enumerator implementation for create_peer_cfg_enumerator
46 */
47 typedef struct {
48 /** implements enumerator */
49 enumerator_t public;
50 /** currently enumerated peer config */
51 peer_cfg_t *peer_cfg;
52 /** inner uci_parser section enumerator */
53 enumerator_t *inner;
54 } peer_enumerator_t;
55
56 /**
57 * create a proposal from a string, with fallback to default
58 */
59 static proposal_t *create_proposal(char *string, protocol_id_t proto)
60 {
61 proposal_t *proposal = NULL;
62
63 if (string)
64 {
65 proposal = proposal_create_from_string(proto, string);
66 }
67 if (!proposal)
68 { /* UCI default is aes/sha1 only */
69 if (proto == PROTO_IKE)
70 {
71 proposal = proposal_create_from_string(proto,
72 "aes128-aes192-aes256-sha1-modp1536-modp2048");
73 }
74 else
75 {
76 proposal = proposal_create_from_string(proto,
77 "aes128-aes192-aes256-sha1");
78 }
79 }
80 return proposal;
81 }
82
83 /**
84 * create an traffic selector, fallback to dynamic
85 */
86 static traffic_selector_t *create_ts(char *string)
87 {
88 if (string)
89 {
90 int netbits = 32;
91 host_t *net;
92 char *pos;
93
94 string = strdupa(string);
95 pos = strchr(string, '/');
96 if (pos)
97 {
98 *pos++ = '\0';
99 netbits = atoi(pos);
100 }
101 else
102 {
103 if (strchr(string, ':'))
104 {
105 netbits = 128;
106 }
107 }
108 net = host_create_from_string(string, 0);
109 if (net)
110 {
111 return traffic_selector_create_from_subnet(net, netbits, 0, 0);
112 }
113 }
114 return traffic_selector_create_dynamic(0, 0, 65535);
115 }
116
117 /**
118 * create a rekey time from a string with hours, with fallback
119 */
120 static u_int create_rekey(char *string)
121 {
122 u_int rekey = 0;
123
124 if (string)
125 {
126 rekey = atoi(string);
127 if (rekey)
128 {
129 return rekey * 3600;
130 }
131 }
132 /* every 12 hours */
133 return 12 * 3600;
134 }
135
136 /**
137 * Implementation of peer_enumerator_t.public.enumerate
138 */
139 static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
140 {
141 char *name, *ike_proposal, *esp_proposal, *ike_rekey, *esp_rekey;
142 char *local_id, *local_addr, *local_net;
143 char *remote_id, *remote_addr, *remote_net;
144 child_cfg_t *child_cfg;
145 ike_cfg_t *ike_cfg;
146 auth_cfg_t *auth;
147 lifetime_cfg_t lifetime = {
148 .time = {
149 .life = create_rekey(esp_rekey) + 300,
150 .rekey = create_rekey(esp_rekey),
151 .jitter = 300
152 }
153 };
154
155 /* defaults */
156 name = "unnamed";
157 local_id = NULL;
158 remote_id = NULL;
159 local_addr = "0.0.0.0";
160 remote_addr = "0.0.0.0";
161 local_net = NULL;
162 remote_net = NULL;
163 ike_proposal = NULL;
164 esp_proposal = NULL;
165 ike_rekey = NULL;
166 esp_rekey = NULL;
167
168 if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
169 &local_addr, &remote_addr, &local_net, &remote_net,
170 &ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
171 {
172 DESTROY_IF(this->peer_cfg);
173 ike_cfg = ike_cfg_create(FALSE, FALSE,
174 local_addr, IKEV2_UDP_PORT, remote_addr, IKEV2_UDP_PORT);
175 ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
176 this->peer_cfg = peer_cfg_create(
177 name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
178 1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
179 1800, 900, /* jitter, overtime */
180 TRUE, 60, /* mobike, dpddelay */
181 NULL, NULL, /* vip, pool */
182 FALSE, NULL, NULL); /* mediation, med by, peer id */
183 auth = auth_cfg_create();
184 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
185 auth->add(auth, AUTH_RULE_IDENTITY,
186 identification_create_from_string(local_id));
187 this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
188
189 auth = auth_cfg_create();
190 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
191 if (remote_id)
192 {
193 auth->add(auth, AUTH_RULE_IDENTITY,
194 identification_create_from_string(remote_id));
195 }
196 this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
197
198 child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
199 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
200 NULL, NULL);
201 child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
202 child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
203 child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
204 this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
205 *cfg = this->peer_cfg;
206 return TRUE;
207 }
208 return FALSE;
209 }
210
211 /**
212 * Implementation of peer_enumerator_t.public.destroy
213 */
214 static void peer_enumerator_destroy(peer_enumerator_t *this)
215 {
216 DESTROY_IF(this->peer_cfg);
217 this->inner->destroy(this->inner);
218 free(this);
219 }
220
221 /**
222 * Implementation of backend_t.create_peer_cfg_enumerator.
223 */
224 static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
225 identification_t *me,
226 identification_t *other)
227 {
228 peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
229
230 e->public.enumerate = (void*)peer_enumerator_enumerate;
231 e->public.destroy = (void*)peer_enumerator_destroy;
232 e->peer_cfg = NULL;
233 e->inner = this->parser->create_section_enumerator(this->parser,
234 "local_id", "remote_id", "local_addr", "remote_addr",
235 "local_net", "remote_net", "ike_proposal", "esp_proposal",
236 "ike_rekey", "esp_rekey", NULL);
237 if (!e->inner)
238 {
239 free(e);
240 return NULL;
241 }
242 return &e->public;
243 }
244
245 /**
246 * enumerator implementation for create_ike_cfg_enumerator
247 */
248 typedef struct {
249 /** implements enumerator */
250 enumerator_t public;
251 /** currently enumerated ike config */
252 ike_cfg_t *ike_cfg;
253 /** inner uci_parser section enumerator */
254 enumerator_t *inner;
255 } ike_enumerator_t;
256
257 /**
258 * Implementation of peer_enumerator_t.public.enumerate
259 */
260 static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
261 {
262 char *local_addr, *remote_addr, *ike_proposal;
263
264 /* defaults */
265 local_addr = "0.0.0.0";
266 remote_addr = "0.0.0.0";
267 ike_proposal = NULL;
268
269 if (this->inner->enumerate(this->inner, NULL,
270 &local_addr, &remote_addr, &ike_proposal))
271 {
272 DESTROY_IF(this->ike_cfg);
273 this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, IKEV2_UDP_PORT,
274 remote_addr, IKEV2_UDP_PORT);
275 this->ike_cfg->add_proposal(this->ike_cfg,
276 create_proposal(ike_proposal, PROTO_IKE));
277
278 *cfg = this->ike_cfg;
279 return TRUE;
280 }
281 return FALSE;
282 }
283
284 /**
285 * Implementation of ike_enumerator_t.public.destroy
286 */
287 static void ike_enumerator_destroy(ike_enumerator_t *this)
288 {
289 DESTROY_IF(this->ike_cfg);
290 this->inner->destroy(this->inner);
291 free(this);
292 }
293
294 /**
295 * Implementation of backend_t.create_ike_cfg_enumerator.
296 */
297 static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
298 host_t *me, host_t *other)
299 {
300 ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
301
302 e->public.enumerate = (void*)ike_enumerator_enumerate;
303 e->public.destroy = (void*)ike_enumerator_destroy;
304 e->ike_cfg = NULL;
305 e->inner = this->parser->create_section_enumerator(this->parser,
306 "local_addr", "remote_addr", "ike_proposal", NULL);
307 if (!e->inner)
308 {
309 free(e);
310 return NULL;
311 }
312 return &e->public;
313 }
314
315 /**
316 * implements backend_t.get_peer_cfg_by_name.
317 */
318 static peer_cfg_t *get_peer_cfg_by_name(private_uci_config_t *this, char *name)
319 {
320 enumerator_t *enumerator;
321 peer_cfg_t *current, *found = NULL;
322
323 enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
324 if (enumerator)
325 {
326 while (enumerator->enumerate(enumerator, &current))
327 {
328 if (streq(name, current->get_name(current)))
329 {
330 found = current->get_ref(current);
331 break;
332 }
333 }
334 enumerator->destroy(enumerator);
335 }
336 return found;
337 }
338
339 /**
340 * Implementation of uci_config_t.destroy.
341 */
342 static void destroy(private_uci_config_t *this)
343 {
344 free(this);
345 }
346
347 /**
348 * Described in header.
349 */
350 uci_config_t *uci_config_create(uci_parser_t *parser)
351 {
352 private_uci_config_t *this = malloc_thing(private_uci_config_t);
353
354 this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
355 this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
356 this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
357 this->public.destroy = (void(*)(uci_config_t*))destroy;
358 this->parser = parser;
359
360 return &this->public;
361 }
362
strongSwan - IPsec VPN